Assign Azure roles using the Azure portal

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.

If you need to assign administrator roles in Azure Active Directory, see Assign Azure AD roles to users.


To assign Azure roles, you must have:

Choose experience

Azure RBAC has a new experience for assigning Azure roles in the Azure portal that is currently in public preview. If you want to try this new experience, follow the steps on the (Preview) tab.

Step 1: Identify the needed scope

When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource. For more information, see Understand scope.

Diagram showing the scope levels for Azure RBAC.

  1. Sign in to the Azure portal.

  2. In the Search box at the top, search for the scope you want to grant access to. For example, search for Management groups, Subscriptions, Resource groups, or a specific resource.

  3. Click the specific resource for that scope.

    The following shows an example resource group.

    Screenshot of resource group overview page.

Step 2: Open the Add role assignment pane

Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management (IAM) and appears in several locations in the Azure portal.

  1. Click Access control (IAM).

    The following shows an example of the Access control (IAM) page for a resource group.

    Screenshot of Access control (IAM) page for a resource group.

  2. Click the Role assignments tab to view the role assignments at this scope.

  3. Click Add > Add role assignment. If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Screenshot of Add > Add role assignment menu.

    The Add role assignment pane opens.

    Screenshot of Add role assignment page with Role, Assign access to, and Select options.

Step 3: Select the appropriate role

  1. In the Role list, search or scroll to find the role that you want to assign.

    To help you determine the appropriate role, you can hover over the info icon to display a description for the role. For additional information, you can view the Azure built-in roles article.

    Screenshot of Select a role list in Add role assignment.

  2. Click to select the role.

Step 4: Select who needs access

  1. In the Assign access to list, select the type of security principal to assign access to.

    Type Description
    User, group, or service principal If you want to assign the role to a user, group, or service principal (application), select this type.
    User assigned managed identity If you want to assign the role to a user-assigned managed identity, select this type.
    System assigned managed identity If you want to assign the role to a system-assigned managed identity, select the Azure service instance where the managed identity is located.

    Screenshot of selecting a security principal in Add role assignment.

  2. If you selected a user-assigned managed identity or a system-assigned managed identity, select the Subscription where the managed identity is located.

  3. In the Select section, search for the security principal by entering a string or scrolling through the list.

    Screenshot of selecting a user in Add role assignment.

  4. Once you have found the security principal, click to select it.

Step 5: Assign role

  1. To assign the role, click Save.

    After a few moments, the security principal is assigned the role at the selected scope.

  2. On the Role assignments tab, verify that you see the role assignment in the list.

    Screenshot of role assignment list after assigning role.

Next steps